fix: improve action security
This commit is contained in:
parent
ed28943b54
commit
b3d7eb99eb
@ -4,9 +4,28 @@ import { revalidatePath } from "next/cache";
|
||||
import { eq } from "drizzle-orm";
|
||||
import { db } from "@/lib/db";
|
||||
import { blocksTable, IBlock } from "@/lib/db/schema";
|
||||
import { requireAuth } from "./auth";
|
||||
import { assertNoteOwner } from "./notes";
|
||||
|
||||
export async function assertBlockOwner(blockId: string): Promise<boolean> {
|
||||
const user = await requireAuth();
|
||||
|
||||
const block = await db.query.blocksTable.findFirst({
|
||||
where: eq(blocksTable.id, blockId),
|
||||
with: { note: true },
|
||||
});
|
||||
if (!block) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return block.note.authorId === user.id;
|
||||
}
|
||||
|
||||
export async function createBlock(formData: FormData) {
|
||||
const noteId = formData.get("noteId") as string;
|
||||
const isAllowed = await assertNoteOwner(noteId);
|
||||
if (!isAllowed) return;
|
||||
|
||||
const blocks = await getBlocks(noteId);
|
||||
const lastBlock = blocks.pop();
|
||||
const order = lastBlock === undefined ? 1 : lastBlock.order + 1;
|
||||
@ -17,6 +36,9 @@ export async function createBlock(formData: FormData) {
|
||||
}
|
||||
|
||||
async function getBlock(blockId: string): Promise<IBlock | null> {
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return null;
|
||||
|
||||
const blocks = await db
|
||||
.select()
|
||||
.from(blocksTable)
|
||||
@ -29,6 +51,8 @@ async function getBlock(blockId: string): Promise<IBlock | null> {
|
||||
}
|
||||
|
||||
export async function getBlocks(noteId: string): Promise<IBlock[]> {
|
||||
const isAllowed = await assertNoteOwner(noteId);
|
||||
if (!isAllowed) return [];
|
||||
return db
|
||||
.select()
|
||||
.from(blocksTable)
|
||||
@ -38,6 +62,8 @@ export async function getBlocks(noteId: string): Promise<IBlock[]> {
|
||||
|
||||
export async function deleteBlock(formData: FormData) {
|
||||
const blockId = formData.get("blockId") as string;
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return;
|
||||
await db
|
||||
.delete(blocksTable)
|
||||
.where(eq(blocksTable.id, blockId));
|
||||
@ -47,6 +73,8 @@ export async function deleteBlock(formData: FormData) {
|
||||
export async function changeLock(formData: FormData) {
|
||||
const blockId = formData.get("blockId") as string;
|
||||
const isLocked = formData.get("isLocked") === null ? false : true;
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return;
|
||||
await db
|
||||
.update(blocksTable)
|
||||
.set({ isLocked })
|
||||
@ -56,6 +84,8 @@ export async function changeLock(formData: FormData) {
|
||||
|
||||
export async function addLine(formData: FormData) {
|
||||
const blockId = formData.get("blockId") as string;
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return;
|
||||
const blocks = await db
|
||||
.select()
|
||||
.from(blocksTable)
|
||||
@ -74,6 +104,8 @@ export async function addLine(formData: FormData) {
|
||||
export async function deleteLine(formData: FormData) {
|
||||
const blockId = formData.get("blockId") as string;
|
||||
const block = await getBlock(blockId);
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return;
|
||||
if (!block) {
|
||||
return;
|
||||
}
|
||||
@ -86,6 +118,8 @@ export async function deleteLine(formData: FormData) {
|
||||
|
||||
export async function moveUp(formData: FormData) {
|
||||
const blockId = formData.get("blockId") as string;
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return;
|
||||
const block = await getBlock(blockId);
|
||||
if (!block) return;
|
||||
|
||||
@ -112,6 +146,8 @@ export async function moveUp(formData: FormData) {
|
||||
|
||||
export async function moveDown(formData: FormData) {
|
||||
const blockId = formData.get("blockId") as string;
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return;
|
||||
const block = await getBlock(blockId);
|
||||
if (!block) return;
|
||||
|
||||
@ -137,7 +173,8 @@ export async function moveDown(formData: FormData) {
|
||||
}
|
||||
|
||||
export async function setLines(blockId: string, lines: string[]) {
|
||||
console.log(lines)
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return;
|
||||
await db
|
||||
.update(blocksTable)
|
||||
.set({ lines })
|
||||
@ -145,6 +182,8 @@ export async function setLines(blockId: string, lines: string[]) {
|
||||
}
|
||||
|
||||
export async function setTag(blockId: string, tag: string) {
|
||||
const isAllowed = await assertBlockOwner(blockId);
|
||||
if (!isAllowed) return;
|
||||
await db
|
||||
.update(blocksTable)
|
||||
.set({ tag })
|
||||
|
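Review bot: `console.log(lines)` in setLines (the `@ -137,7 +173,8` hunk) writes the full block content to the server log on every debounced edit; drop it, or log only `blockId` and `lines.length` if a trace is wanted. If this module is a `"use server"` file — the client Block component imports setLines/setTag from it and calls them directly, which suggests it is — then the newly exported `assertBlockOwner` (and `assertNoteOwner` in notes) is itself reachable as a server action and answers, for any id, whether a record exists and belongs to the caller; keeping the helpers unexported, or in a plain helper module that is not a server-action file, would narrow that surface. In deleteLine (`@ -74,6 +104,8`) `getBlock(blockId)` already runs assertBlockOwner internally, so the explicit check that follows it issues the ownership query twice; checking first and only then calling getBlock, as moveUp/moveDown do, avoids the duplicate round trip. Each of these functions continues past its hunk.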
@ -7,6 +7,19 @@ import { blocksTable, INote, notesTable, usersTable } from "@/lib/db/schema";
|
||||
import { requireAuth } from "./auth";
|
||||
import { db } from "@/lib/db";
|
||||
|
||||
export async function assertNoteOwner(noteId: string): Promise<boolean> {
|
||||
const user = await requireAuth();
|
||||
|
||||
const note = await db.query.notesTable.findFirst({
|
||||
where: eq(notesTable.id, noteId),
|
||||
});
|
||||
if (!note) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return note.authorId === user.id;
|
||||
}
|
||||
|
||||
export async function createNote() {
|
||||
const user = await requireAuth();
|
||||
const result = await db
|
||||
@ -47,6 +60,7 @@ export async function deleteNote(formData: FormData) {
|
||||
}
|
||||
|
||||
export async function setTitle(noteId: string, title: string) {
|
||||
if (title === "") return;
|
||||
await db
|
||||
.update(notesTable)
|
||||
.set({ title })
|
||||
|
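Review bot: setTitle (the `@ -47,6 +60,7` hunk) still goes from the new empty-title guard straight to `db.update(notesTable)` with no ownership check — the hunk's seven new-side lines are all visible and none calls assertNoteOwner or requireAuth — so, unless the `.where` clause beyond the hunk scopes by author, any authenticated caller can retitle a note they do not own, which is the gap this commit closes for the block actions. Add `const isAllowed = await assertNoteOwner(noteId);` / `if (!isAllowed) return;` before the update, mirroring createBlock. assertNoteOwner resolves to `false` both for a missing note and for a foreign one, which suits the guards but is not what "assert" usually implies; a one-line TSDoc such as `/** True only when the note exists and belongs to the current user; resolves false (does not throw) otherwise. */` would prevent callers from expecting an exception. setTitle's body continues past the hunk.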
@ -1,6 +1,6 @@
|
||||
import { ChangeEvent, useState } from "react";
|
||||
import { ArrowDown, ArrowUp, LockOpen, Lock, Minus, Plus, X } from "lucide-react";
|
||||
import { addLine, changeLock, deleteBlock, deleteLine, moveDown, moveUp, setLines } from "@/app/actions/blocks";
|
||||
import { addLine, changeLock, deleteBlock, deleteLine, moveDown, moveUp, setLines, setTag } from "@/app/actions/blocks";
|
||||
import { useDebounce } from "@/lib/hooks/useDebounce";
|
||||
import { IBlock } from "@/lib/db/schema";
|
||||
import IconOnlyButton from "../ui/IconOnlyButton";
|
||||
@ -8,11 +8,16 @@ import LineInput from "./LineInput";
|
||||
|
||||
export default function Block({ block }: { block: IBlock }) {
|
||||
const [lines, setLinesState] = useState(block.lines);
|
||||
const [tag, setTagState] = useState(block.tag);
|
||||
|
||||
useDebounce(() => {
|
||||
setLines(block.id, lines);
|
||||
}, [lines]);
|
||||
|
||||
useDebounce(() => {
|
||||
setTag(block.id, tag);
|
||||
}, [tag]);
|
||||
|
||||
const lineChangeHandler = (i: number, e: ChangeEvent<HTMLInputElement>) => {
|
||||
const newLines = [...lines];
|
||||
newLines[i] = e.target.value;
|
||||
@ -26,11 +31,17 @@ export default function Block({ block }: { block: IBlock }) {
|
||||
type="text"
|
||||
placeholder="enter tag..."
|
||||
className="w-full focus:outline-none"
|
||||
defaultValue={block.tag}
|
||||
onChange={(e) => setTagState(e.target.value)}
|
||||
value={tag}
|
||||
disabled={block.isLocked}
|
||||
/>
|
||||
{block.lines.map((line, i) => (
|
||||
<LineInput key={i} defaultValue={line} disabled={block.isLocked} onChange={(e) => lineChangeHandler(i, e)} />
|
||||
<LineInput
|
||||
key={i}
|
||||
defaultValue={line}
|
||||
disabled={block.isLocked}
|
||||
onChange={(e) => lineChangeHandler(i, e)}
|
||||
/>
|
||||
))}
|
||||
<div className="flex items-center mx-2 mt-2">
|
||||
<div className="flex gap-1 mr-4">
|
||||
|
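Review bot: The tag input in the `@ -26,11 +31,17` hunk now carries both `defaultValue={block.tag}` and `value={tag}`; React rejects that combination with its "either controlled or uncontrolled" warning, and since `useState(block.tag)` already seeds the state, the `defaultValue={block.tag}` line should simply be removed. The new `useDebounce(() => { setTag(block.id, tag); }, [tag])` will also, if the hook does not skip its first run (not visible here), issue a setTag write on mount with the unchanged value; worth confirming against the hook, as the same applies to the existing lines debounce. The Block component continues outside the hunk.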
@ -1,4 +1,4 @@
|
||||
import { drizzle } from 'drizzle-orm/node-postgres';
|
||||
import * as schema from "./schema";
|
||||
|
||||
export const db = drizzle<typeof schema>(process.env.DATABASE_URL!);
|
||||
export const db = drizzle(process.env.DATABASE_URL!, { schema });
|
||||
|
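Review bot: The rewritten `drizzle(process.env.DATABASE_URL!, { schema })` keeps the non-null assertion, so a missing DATABASE_URL is passed through as `undefined` and surfaces later as a driver error rather than at module load. Resolving it first and failing with a clear message, `const url = process.env.DATABASE_URL;` / `if (!url) throw new Error("DATABASE_URL is not set");` / `export const db = drizzle(url, { schema });`, makes the misconfiguration obvious at startup and removes the `!`.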